An end-to-end guide on knowledge-based authentication (KBA)

Knowledge-based authentication (KBA) is a security measure that verifies a user's identity by asking a series of questions that only the legitimate user should be able to answer. These questions and their answers are typically entered into the system by the user while creating their account.

How does knowledge-based authentication work?

KBA verification uses questions about personal information instead of credentials like username and password. Here’s a breakdown of how the process works:

  1. A new user signs up for a service or application that uses KBA.
  2. Depending on the implementation, the system either selects a predetermined set of security questions or prompts the user to create their own. The questions focus on memorable personal details that wouldn’t be easily guessable by anyone other than the user.
  3. The user answers all the questions and their answers are stored in a secure, encrypted database.
  4. The user attempts to log into the service or application, and they are presented with a preconfigured number of security questions from the ones chosen during signup. Depending on the configuration of the user authentication system, KBA is used as either:
    1. A primary authentication factor, where the user is immediately prompted with challenge questions.
    2. A secondary factor for multi-factor authentication (MFA), where the user first enters their username and password, followed by challenge questions.
    3. A risk-based authentication method, triggered by pre-set risk factors such as unusual login attempts, new devices or accessing sensitive account information.
  5. The user answers the questions, and the system validates the responses against the answers stored in the database.
  6. If the answers match, the user is authenticated and granted access.

Examples of KBA questions

Traditional KBA questions may ask about a user’s favorite color or their nickname, but these can be vulnerable to extraction via social media or public records. To ensure strong authentication, KBA questions must be secure and personalized, making it difficult for hackers to guess them. Here are some examples:

  1. Memorable events
    • What was the name of the restaurant you went to on your 18th birthday?
    • What was the name of your favorite teacher and the subject they taught?
    • In which city did you meet your spouse/partner for the first time?
  2. Personal details
    • What was the name of the book your grandfather gave you as a child?
    • What was the name of the street where you learned to ride a bike?
    • What is the name of the first concert you attended, and who was the opening act?
  3. Combined information
    • What was the model of your first ever car, and what was your favorite road trip destination in that car?
    • What was the name of the first place you traveled to internationally, and how many days did you stay?
    • What was the name of your childhood pet, and what was a funny trick it could do?

Static vs dynamic knowledge-based authentication

Based on how the questions are presented and managed, KBA can be categorized into two types: static and dynamic.

  1. Static knowledge-based authentication
    As the name indicates, static KBA uses a predefined set of security questions that are established during account signup and remain unchanged throughout the user's interactions with the service. Benefits of static KBA are:

    • It’s easy to implement for businesses and requires less ongoing maintenance.
    • Users don’t have to remember much beyond a password, since they answer the same questions each time.

    However, with the rise of social media and data breaches, attackers can potentially gather enough personal data to answer static KBA questions.

  2. Dynamic knowledge-based authentication
    Instead of configuring static questions for user accounts, dynamic KBA generates questions on-the-fly based on real-time data associated with a user’s account or past interactions. For example, an online brokerage may ask a user about a recent stock purchase or account activity before granting authorization for sensitive actions. Or a credit bureau may ask to confirm previous residency addresses.

    Benefits of the dynamic approach are:

    • It becomes significantly harder for attackers to predict the questions, as they are not based on predetermined information.
    • The identity provider or authentication system can adapt to changes in user data. For example, it can use recent purchase history or past login locations to formulate questions.

    However, dynamic KBA implementations are generally more complex and require extensive data sets and ongoing maintenance.
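The brokerage-style dynamic challenge described above, as an added example that is not OneLogin's code: a multiple-choice question is generated from the account's own recent transaction history, padded with decoy merchants that never appear in that history, and the expected answer is kept server-side. The transaction history and merchant names are constructed sample data.

```python
import secrets
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transaction:
    when: date
    merchant: str
    amount: float


# Constructed sample history for one account (not real data).
SAMPLE_HISTORY = [
    Transaction(date(2024, 5, 2), "Rail Tickets Co", 42.50),
    Transaction(date(2024, 5, 3), "Corner Grocery", 18.20),
    Transaction(date(2024, 5, 5), "Book Depot", 27.99),
    Transaction(date(2024, 5, 7), "Fuel Stop", 61.10),
]

# Decoy merchants; any that also occur in the user's history are excluded.
DECOY_MERCHANTS = ["Pizza Place", "Cinema 9", "Hardware Hut", "Taxi Line", "Coffee Bar"]


def build_challenge(history, rng=None, choices=4):
    """Return (prompt, expected). Only `prompt` is sent to the user; `expected`
    stays on the server to validate the response."""
    if not history:
        raise ValueError("no account activity to build a question from")
    rng = rng or secrets.SystemRandom()
    real = rng.choice(history)
    seen = {t.merchant for t in history}
    decoys = rng.sample([m for m in DECOY_MERCHANTS if m not in seen], choices - 1)
    options = decoys + [real.merchant]
    rng.shuffle(options)
    question = f"Which merchant did you pay {real.amount:.2f} on {real.when.isoformat()}?"
    return {"question": question, "options": options}, real.merchant


def check_response(expected: str, chosen: str) -> bool:
    """Accept the chosen option only if it is the real merchant."""
    return chosen.strip().casefold() == expected.casefold()
```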

Why knowledge-based authentication is often used

Here are a few reasons why you should consider using KBA for verifying your users:

  • It provides a familiar method of authentication that users are accustomed to, reducing friction during login attempts.
  • KBA often serves as a second line of defense after passwords. Even if an attacker cracks a password through brute force attacks or phishing scams, they would still need to answer questions correctly to gain access. That is why password vaults alone are not enough.
  • KBA solutions can be customized to suit different levels of security needs, from basic account access control to sensitive financial transactions.
  • KBA can also assist in fraud prevention and account takeover defense by authenticating user identities through personal information.
  • It’s also possible to combine KBA with session management tools to implement continuous authentication. In such a setup, users may be prompted with KBA questions at strategic points during their session, especially before high-risk actions.

Alternatives to knowledge-based authentication

Next, we will explore some alternatives to KBA:

  1. Biometrics
    Biometric authentication uses unique physical or behavioral characteristics for user verification. Examples include fingerprints, facial recognition, iris scans and voice patterns. Encryption is crucial for the secure storage of biometric data.
  2. Passkeys
    A passkey is a digital credential stored on a user's device (e.g. phone, computer) that can be used to log in to websites and applications that support it, often leveraging standards like OpenID Connect (OIDC) for a seamless experience.
  3. Security tokens
    Security tokens are physical or digital tokens that generate unique codes or one-time passwords (OTP) for login verification. A security token is often used in conjunction with passwords, and can sometimes be integrated with OAuth for token-based authentication flows.
  4. Behavioral authentication
    This approach analyzes a user's typical login behavior patterns (typing speed, location, device) and flags deviations as potential threats. Logging of such deviations is crucial to identify and respond to threats in real time.

Conclusion

Organizations can choose to add knowledge-based authentication to their security strategy. However, users have bad password practices, which likely extend to security questions as well. Security questions aren't very secure because the answers can often be identified. If you use them, it is recommended to add additional authentication methods and to select more questions than required in order to reduce risk. Properly implemented, knowledge-based authentication can enhance your cybersecurity posture and identity management.